From acde086abfa804917448d8e3bdca470917d0e658 Mon Sep 17 00:00:00 2001
From: Jaroslav Sevcik
Date: Wed, 9 Mar 2022 09:20:01 +0000
Subject: [Backport] CVE-2022-1493: Use after free in Dev Tools
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3510307: Use weak pointers for devtools http server handlers This makes sure that we do not call HttpServer message handlers on a deallocated HttpServer instance. Interestingly, the weak pointer factory was already there, but it was unused.
Bug: chromium:1275414
Change-Id: Ic0c33319bb3e67e3c15349d07acbaad64a7f62e3
Reviewed-by: Robbie McElrath
Reviewed-by: Danil Somsikov
Commit-Queue: Jaroslav Sevcik
Cr-Commit-Position: refs/heads/main@{#979140}
Reviewed-by: Michal Klocek
---
 chromium/services/network/public/cpp/server/http_server.cc | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/chromium/services/network/public/cpp/server/http_server.cc b/chromium/services/network/public/cpp/server/http_server.cc
index f390f38a2d2..a2cb2534f6c 100644
--- a/chromium/services/network/public/cpp/server/http_server.cc
+++ b/chromium/services/network/public/cpp/server/http_server.cc
@@ -105,8 +105,8 @@ void HttpServer::SendRaw(int connection_id,
 connection->write_watcher().Watch(
 connection->send_handle(),
 MOJO_HANDLE_SIGNAL_WRITABLE | MOJO_HANDLE_SIGNAL_PEER_CLOSED,
- base::BindRepeating(&HttpServer::OnWritable, base::Unretained(this),
- connection->id()));
+ base::BindRepeating(&HttpServer::OnWritable,
+ weak_ptr_factory_.GetWeakPtr(), connection->id()));
 }
 }
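Review bot: The re-binding on the `+` lines relies on `weak_ptr_factory_` being declared as the last member of HttpServer, so that its destructor invalidates outstanding `OnWritable` pointers before the other members are torn down; the header is not part of this diff, so that ordering cannot be confirmed from here, and the same dependency applies to the `OnAcceptCompleted` and `OnReadable` bindings in the next two hunks. The commit message says the factory already existed unused, which suggests nothing in this change revisits where it sits in the class. A comment at the declaration, e.g. `// Must stay the last member: invalidates the socket callbacks bound in SendRaw, DoAcceptLoop and OnAcceptCompleted before other members are destroyed.`, would record the assumption. SendRaw's body starts outside the hunk.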
@@ -180,9 +180,9 @@ bool HttpServer::SetSendBufferSize(int connection_id, int32_t size) {
 }
 void HttpServer::DoAcceptLoop() {
- server_socket_->Accept(
- mojo::NullRemote(), /* observer */
- base::BindOnce(&HttpServer::OnAcceptCompleted, base::Unretained(this)));
+ server_socket_->Accept(mojo::NullRemote(), /* observer */
+ base::BindOnce(&HttpServer::OnAcceptCompleted,
+ weak_ptr_factory_.GetWeakPtr()));
 }
 void HttpServer::OnAcceptCompleted(
@@ -210,8 +210,8 @@ void HttpServer::OnAcceptCompleted(
 connection->receive_handle(),
 MOJO_HANDLE_SIGNAL_READABLE | MOJO_HANDLE_SIGNAL_PEER_CLOSED,
 MOJO_TRIGGER_CONDITION_SIGNALS_SATISFIED,
- base::BindRepeating(&HttpServer::OnReadable, base::Unretained(this),
- connection->id()));
+ base::BindRepeating(&HttpServer::OnReadable,
+ weak_ptr_factory_.GetWeakPtr(), connection->id()));
 }
 DoAcceptLoop();
-- 
cgit v1.2.1
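Review bot: None of the three re-bound handlers gets a regression test in this backport — the diffstat lists only http_server.cc — so the use-after-free the commit title names is pinned by nothing beyond the `weak_ptr_factory_.GetWeakPtr()` text on the `+` lines here and in the two earlier hunks. A unit test that arms a connection's read watcher, destroys the HttpServer, and then makes the receive handle readable would verify that `OnReadable` is dropped rather than invoked on the freed instance. If the original review carried such a test, cherry-picking it alongside would keep the backport self-checking. OnAcceptCompleted's body starts outside the hunk.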